I'm having trouble with user accounts on my network.

Now, in the past I have always made sure that I do not keep a record of the user's passwords. I don't want to know their passwords, and having a comprehensive list of unencrypted passwords lying around is a security risk. So I create a randomized password which I give only to them, and do not keep a copy of it myself.

Suddenly I'm in a situation where it would be easier if I had all their passwords and could reset all their accounts at once, instead of trying to get them to change their passwords individually. Trying to get all my users to do something at the same time is like herding cats. I won't go into the technical details of why I need to recover their passwords, just take it on faith that I'd like to do a password recovery, and I'd like to do it in one fell swoop without having to ask each user to do something or to supply me with their password verbally.

Please note: Do not come back and say "why don't you just reset all the passwords if you're the administrator?" or other attempts at help that don't involve the recovery... Because the problem is much more detailed and technical than that, and I'm not giving you all the information. I'm just setting the stage for you: I want to do a recovery and I have good reasons for wanting to do this.

I'm trying to use this piece of software to do a brute-force on the password list. I've already extracted the hashes and I've got John.exe properly working to do brute force runs against the list of hashes. It's all working as intended.

The trick is that I want to speed up the brute force run. Because it just so happens that when I created the randomized passwords, I did so in a specific pattern that won't easily fall to a brute-force attack... unless you know the pattern and can program your brute-forcer to follow it.

The thing is, John.exe is programmable with all sorts of options. I just don't know how to program it for this particular pattern. It's hard to follow its documentation. I'm wondering if anyone else has used this program and if they know how to program it for a special pattern. Or if they can look at its dox and grok it better than I can. (By the way, I got no reply from the program's author when I asked the same question.)

I won't reveal the pattern publicly, but if anyone is willing to help me with this after they've seen the documentation for John.exe, PM me and we can talk directly about it.

Thanks in advance!

Now tell the truth, tfab, who's account are you trying to hack?

Just the users whose passwords I assigned to them in the first place. On a server which I control. As I explained, I deliberately don't keep those passwords myself, and now that policy is coming back to bite me in the ass.

Question: do they still know their passwords? Even if they do not, is it embedded in their browsers / workstations? You could set up a sniffer and turn off the password encryption options of the server so that the passwords cross in clear text. Capture it with the sniffer. You can even reboot the server to force them all to re-login...

That's not a bad idea at all.

Hm. I don't want to install Ethereal directly on the domain controller, though. It puts a driver in place and I would really like to not add extra drivers to this mission-critical server that happens to be stable at the moment.

I suppose I could temporarily move the server off of the switch and onto a hub so that I can do the sniffing from an adjacent PC.

So I wonder where, in NT4, I turn off the NTLM encryption? I'll have to hunt for that...

L0phtcrack is your friend in situations like these. I believe that you can set the pattern you like and crack away. It can also sniff across the network for logins etc.

http://www.atstake.com/products/lc/

Good point. Lophtcrack is very good. I remember playing with it once before. Never very seriously, but enough to see that it worked quite well.

Does this help for the location?

Edited for better link.

Thanks, Dahlhana, I'll give LC4 a look.

Thanks, Paul, it looks like, from that link, even if I do dumb down the encryption level, it's still not in plain text. So the sniffer route isn't going to make it much easier.

I don't think you can turn off NTLM encryption altogether- at least not without turning it off on the clients too. And even with l0phtcrack and capturning hashes you would never get all the password- more like 80% of them -maybe less if your users actually picked out good passwords. The best idea IMO would be to make a script that sends out a messenger service notify box every XX minutes to the users saying "Hey you must go to this web page and change your password" The web page would both change their passwords and record them clear text for you. Maybe use policies to set their homepage to be that password changing page for a while. I know you didn't want "human solutions" to this problem but sometimes those are the only solutions...

So, I gather that this is a windows server since you mention .exe's and 'domain controller.' So, if you are the Administrator, then why can't you just reset their passwords? You don't need a user's password to reset it to something else if you are the administrator of the server that those user accounts live on. So, you could reset all their passwords, and then send them the new passwords; then, you could set it so that each user must change their password the next time they log in.

Or am I just missing something big here?

So, if you are the Administrator, then why can't you just reset their passwords? (...)
Or am I just missing something big here?

Yes, you're missing the part in the first post where I said "Please note: Do not come back and say "why don't you just reset all the passwords if you're the administrator?""

Question: are your users used to the concept of password aging? Maybe you can age out all of their old passwords so they require new ones.

That's exactly what I'm trying to avoid doing. Sure I could reset everything but I don't WANT to. I want them to keep the same passwords on this other, unrelated system (which I do NOT control). But that other system got screwed up and I'm going to have to enter the passwords en masse and I just want the fricking list so I can make the transition painless for my users.

Can't you just copy the SAM files over?

No, because it's an unrelated system that is not controlled by me. All I want to do is set up my current users so that their current passwords work on that new system.

Any kind of trust relationships between your system and the other one? I am just trying to see if there is a way the other box will accept your authentication without having to redo any passwords.

No. Like I said, it's a completely UNRELATED system.

And besides, LC4 already has two of the passwords and is churning on the rest...

I'll probably do an overnight run of LC4 on my faster system and have them all by tomorrow morning.

Cool! I have to take a look at that cracker. It has been a while since I looked at it, and it seems pretty strong.

Interestingly, LC4 is merely doing a brute-force churn. I'm unable to program any sort of a pattern into it. In theory, if I were able to give it my pattern, it would have them all in a scant couple of hours. But currently it's saying it'll take over a day to do the whole list. I'm going to put it on a system that's about 6 times faster than this one, so an overnight run should be enough.

Yes, you're missing the part in the first post where I said...

Ha ha, oops! I even read the original post many times. That sentence must have been right in my retinal blind spot.

Bitt Faulk has kindly provided the pseudo-C code which programs John.exe to do what I wanted it to do (base its brute force crack on my assigned pattern). So I've now got a fast crack that should be done by the end of the day. I've got four passwords so far and it's churning quickly through the rest.

Thanks very much everyone for all your help!

Out of curiosity...approximately how many users at how many locations are we talking about?

About 20-30 users, all in my location, spread across two floors of my building.

/me laughs. I would have just gone around with a clipboard. Could have been done in 45 min. instead of two days. Although, admittedly, your solution is much cooler technically.

As an aside: I did the same thing you're doing at an ISP I worked at. We went with a new administration package that needed to know the passwords for our several hundred dialup customers, and we didn't keep them in plain text. I ran a brute force cracker on them for a few days and ended up only having to get about 20 of them to "reset their password for security purposes." Most of the passwords were easy stuff like "larry" or "fish" or something equally inane.

Sure would be easier under Unix where you could just recreate users and copy the encrypted passwords over.

Sure would be easier under Unix where you could just recreate users and copy the encrypted passwords over.

Remember...he doesn't control the other system. I'm assuming that means he can't add or delete users and certainly couldn't access the passwd and shadow files.

I would have just gone around with a clipboard.

Well, there are a few reasons I didn't want to go around with the clipboard. Some of the users aren't here (vacation, etc.), some work odd hours and it's hard to nail them down, others are remote dial-ins, etc. Cat herding, like I said.

I really didn't want to do all that leg work, I didn't want to make the users uneasy about giving out a password that I previously kept deliberately secret from even myself. I just wanted to have it magically work for them without troubling them about it. I pride myself on making sure my users are inconvenienced as little as possible.

And yeah, I also really wanted to see, technically, what it took to brute force my network's accounts. It's something I'd never done before and I wanted to know just how secure it really was. In the process, I've learned some pretty interesting things about NT/Lanmanager authentication and passwords. And I've got some nifty new tools in my toolkit now. So it's been worth it.

All I want to do is set up my current users ...

Maybe he just meant reset the passwords that were given to him by the other sysadmin, but that's not how I read it. Regardless, you could send those encrypted passwords to the other sysadmin. I'm laboring under the assumption that you can't do this under Windows due to the SAM(?) being an effectively uneditable binary file, but I could be wrong.

I didn't want to make the users uneasy about giving out a password that I previously kept deliberately secret from even myself.

Funny how the key to making the users felt secure was to break their codes. Just another case of what you don't know not hurting you . . .

I really didn't want to do all that leg work, I didn't want to make the users uneasy about giving out a password that I previously kept deliberately secret from even myself.

And they aren't made more uneasy that J Random password cracking program off the internet can open every account in the company?

Peter